Suppose I have two users who are issued two different UProve IDs. The Issuer has guaranteed that one UProve token bearer will never have more than one UProve token ID.

How can I use UProve to guarantee that two users are "different" without disclosing their actual private ID?

Here is a scenario: An online voting system wants to use UProve to anonymously collect votes. They decide to trust an Issuer who has full knowledge of the end user, but the relying pary has to accept the fact that they will know nothing about the end user at all.

The polling station (relying party) only needs to know that the same UProve ID wasn't used to cast a second vote. The only UProve scenario I know of that would work here is proving the user's SSN (or similar fixed ID).

3 Answers
3

Upon setup the issuer can have extra attributes available that upon request of authorization from the prover the verifier can have access to. The verifier could use such an attribute and only successfully verify if it hasn't seen that attribute before.

So that means the issuer needs N attributes, and selectively disclosing them one by one? I suppose I need to mention that the quantity of locations the UProve user will be dealing with numbers in the the millions. A UProve token with just 255 proofs takes quite a long time to generate. I hope there is another solution.
–
makerofthings7Mar 27 '13 at 16:53

What information would be in that attribute? Is it encrypted data?
–
makerofthings7Sep 27 '13 at 14:58

Uprove/anonymous credentials in general seems a bit heavy handed for that. You could accomplish it with simple Chaum style e-cash. The issuer does a blind signature on a serial number. To vote, you reveal the serial number and signature. Its anonymous and doesn't allow duplicate voting.

In fact, since u-prove credentials are single show, you could cause u-prove to do this by simply only issuing a single credential to each user.

As a general note, you can do what you want with locally revokable anonymous credentials since the relying party can simply revoke the credential once it's used. I don't believe Uprove supports this, but other systems do.

I'm very interested in learning how this would operate, though the Wiki page for ecash is of no use, and all the pages are dead. Do you have any more info or references so I can understand what you mean by a "blind signature on a serial number"... and it's removal?
–
makerofthings7Apr 11 '13 at 0:35

@makerofthings7 There is a rather decent wikipedia article on blind signatures that shows the basic RSA construction. Is that insufficient?
–
imichaelmiersApr 11 '13 at 19:25

U-Prove TokenID is a hash output, so it may be not the best way to prove "not the same" statement. One would also consider inequality proof for a subset of user attributes instead. For each such attribute pair, "not the same" would mean an inverse exists for attribute difference, modulo group order. One would prove knowledge of such inverses while keeping them secret, "AND"-combined with regular proof of knowledge of attributes.

To run a prover for such a protocol, one needs sharing attributes for that users, so it is not always desirable. This makes straightforward not-equal proof outlined less applicable for voting scenario.

One would approach voting with registration authority assigning distinct userID attributes, and another authority running an accumulator for that IDs while accepting ballots. U-Prove fits handling attributes.